From nobody Thu Oct 2 15:34:42 2025 Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DED1929B204 for ; Tue, 16 Sep 2025 09:01:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758013290; cv=none; b=ntnQwykfIvYlFQrzsOp+RHE3ByC/FmDrlAZV7IeRtPPH1EmQWY0P+cMJJ85YeOEJmfSKHm+AEArZvAezL8PnRqjuFEVnBPVs85sW3809tA557KmgieXro2oMIcIpWUenp6M+kb4C8C4LxdmsP+9a8rtnq+3gA2ih30tIGs13yks= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758013290; c=relaxed/simple; bh=6hHHbFntCUYSD3HBZLJcRkhdW7KpSm3FgA41veMYbnA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=eOH9/1mjQS4KfxEXE6opkGyQ4J4fs1Y0mjuOst4GnBgWRWuEMjtWPOKN5bcbWXapPteUfyCcNYpkQ6mxz5YCBy4opJx/OxEpei1x5XqOxrk+10MG0syau0v/n1K4MJ1h8re5zdnqZpsDYPEbDD0tWE3yGlGMiXdzesQ+goko7Z0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=E89ov6kE; arc=none smtp.client-ip=209.85.128.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="E89ov6kE" Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-45df0cde41bso38101005e9.3 for ; Tue, 16 Sep 2025 02:01:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1758013286; x=1758618086; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=xdmcBIJJ/dIrmboz2dj1USPN5mnOnIS9n3oFxB4eaBc=; b=E89ov6kEPJR1H4p5K3KteNzcEruBDSpuqzB/I2CNsZfLVymoTGmOr6ISsEI1FBqYFK 8n6XaNzI/doOn/EWtnZjh2JiV9UBC+KyInwr6KZZD7blGK0b+inTCw380reab8cEk4g0 3mQvhDY2TiZt99HjqBtc+sGAeZNAuhkzKR+tMYh0PUrLVJgenjM3feSJ9c+0RFUbbmJI BvnbCT9qCEmFpmoUfCe/WPyux6Y2Exw7uLC6nWrk05zfMMpjJ96fgE4NLPQ+pXOcGmVJ dOocydVLBu7AaKAcJFyOzqvNYC7mS/kEud8XpkCBrzncRRmx2TPEyL8TZH2OTKKp4jnM eVfQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758013286; x=1758618086; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=xdmcBIJJ/dIrmboz2dj1USPN5mnOnIS9n3oFxB4eaBc=; b=t/Cb2W5m976HsXdCBA//NVvOS/A21xqmU49b+429DRp1WTXBeLkWDmV/lrPhExm0Yh 0uLrRI4Pyjd58Igy32hMQqlviBU48Hwjd2Afdx7ykO7Wn1UAoautQFsW7+d5lnthkC8y z4EVHclRh2eS5LY17p2AkXNQUWAIsnvJguChMHAcQw3Iob6ZDw/TUcRHb0KuW1t6YFVs 9lbH6yGOMGs9Migd3PKA3uIyAGclt9BWxTx45RxJkJ9gOodLzlTtkIkuXJNm0PUrx/t9 rLHn4uQu9lQeF1FIjGtngdS0Ejb8paapsN65Ssz8o69d0L9xM7p1vop/hgC7Hbna/HqA 9JfA== X-Forwarded-Encrypted: i=1; AJvYcCWvk7n1BkARFonmJr/u7iwoNjJ2uoMU6u2dMv3FZ2PmFZ0Ty6PXHqItaaRUB8VDArkytZbPlYGnDcDQyPM=@vger.kernel.org X-Gm-Message-State: AOJu0YwtYVthThD0/BUEQyBAmviYRyRsO5Xtnn7Fu4qrN1LN7f/VGAXI KhbBEJaw/I89MDXfaUJwcQPEMgXWTRq5SZOOhcfUOu+JCoerSGZKf/bJ X-Gm-Gg: ASbGncuTn+mvvNGRcp+PdYMGFTP+FXyZuihhVLtwA0u7gp8CaUXGMCHiRr9yp4xKdqv GpZ7VBlrMApHVKn10/YwWtoQ7UFmOChd4YNugA49tlbB2IEhfXr81SkfPGbJhu1+hSevHwqPute vklXYPXo7+h9BiIghJXoWmCiO6z1nN1Sd5E4FKKJNQdQh+qwl9YijxOWVV1JjqAeyL9KEVDbz5e UKi65iVQxm5TXplAOcUgcpEexP/QSBe/+zS0jNUgYvcabSSWgqM2XpmxuD10yyoM53dBf4Dpdn4 pytw6GUkIQ7stNhoGk/UTq5sl3gh3kUEUOSucZAxNM0S9x7ZO2o6cO/pspSCAKac55ugv/umsXo 7f57OmFR2qWhE0m8TkDurMsxYHqVZe5zx0iujcaOjwp2MrAig7E7pvWRWl+AFfzEmOJsDr3atL6 xHr1Yxytgni5vp X-Google-Smtp-Source: AGHT+IEadfbP3jNYyOIN5QPnIDkgoE5rEixgqXRhdDXaUoboFgkfVk5OQ6KluvW7vDOuiRH8ZlKDbQ== X-Received: by 2002:a05:600c:12c8:b0:459:d645:bff7 with SMTP id 5b1f17b1804b1-45f211d075emr98840705e9.12.1758013285667; Tue, 16 Sep 2025 02:01:25 -0700 (PDT) Received: from xl-nested.c.googlers.com.com (42.16.79.34.bc.googleusercontent.com. [34.79.16.42]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-45e037186e5sm212975035e9.5.2025.09.16.02.01.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 16 Sep 2025 02:01:24 -0700 (PDT) From: Ethan Graham To: ethangraham@google.com, glider@google.com Cc: andreyknvl@gmail.com, andy@kernel.org, brauner@kernel.org, brendan.higgins@linux.dev, davem@davemloft.net, davidgow@google.com, dhowells@redhat.com, dvyukov@google.com, elver@google.com, herbert@gondor.apana.org.au, ignat@cloudflare.com, jack@suse.cz, jannh@google.com, johannes@sipsolutions.net, kasan-dev@googlegroups.com, kees@kernel.org, kunit-dev@googlegroups.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, lukas@wunner.de, rmoar@google.com, shuah@kernel.org, tarasmadan@google.com Subject: [PATCH v1 06/10] kfuzztest: add KFuzzTest sample fuzz targets Date: Tue, 16 Sep 2025 09:01:05 +0000 Message-ID: <20250916090109.91132-7-ethan.w.s.graham@gmail.com> X-Mailer: git-send-email 2.51.0.384.g4c02a37b29-goog In-Reply-To: <20250916090109.91132-1-ethan.w.s.graham@gmail.com> References: <20250916090109.91132-1-ethan.w.s.graham@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Ethan Graham Add two simple fuzz target samples to demonstrate the KFuzzTest API and provide basic self-tests for the framework. These examples showcase how a developer can define a fuzz target using the FUZZ_TEST(), constraint, and annotation macros, and serve as runtime sanity checks for the core logic. For example, they test that out-of-bounds memory accesses into poisoned padding regions are correctly detected in a KASAN build. These have been tested by writing syzkaller-generated inputs into their debugfs 'input' files and verifying that the correct KASAN reports were triggered. Signed-off-by: Ethan Graham Acked-by: Alexander Potapenko --- samples/Kconfig | 7 ++ samples/Makefile | 1 + samples/kfuzztest/Makefile | 3 + samples/kfuzztest/overflow_on_nested_buffer.c | 71 +++++++++++++++++++ samples/kfuzztest/underflow_on_buffer.c | 59 +++++++++++++++ 5 files changed, 141 insertions(+) create mode 100644 samples/kfuzztest/Makefile create mode 100644 samples/kfuzztest/overflow_on_nested_buffer.c create mode 100644 samples/kfuzztest/underflow_on_buffer.c diff --git a/samples/Kconfig b/samples/Kconfig index 6e072a5f1ed8..5209dd9d7a5c 100644 --- a/samples/Kconfig +++ b/samples/Kconfig @@ -320,6 +320,13 @@ config SAMPLE_HUNG_TASK Reading these files with multiple processes triggers hung task detection by holding locks for a long time (256 seconds). =20 +config SAMPLE_KFUZZTEST + bool "Build KFuzzTest sample targets" + depends on KFUZZTEST + help + Build KFuzzTest sample targets that serve as selftests for input + deserialization and inter-region redzone poisoning logic. + source "samples/rust/Kconfig" =20 source "samples/damon/Kconfig" diff --git a/samples/Makefile b/samples/Makefile index 07641e177bd8..3a0e7f744f44 100644 --- a/samples/Makefile +++ b/samples/Makefile @@ -44,4 +44,5 @@ obj-$(CONFIG_SAMPLE_DAMON_WSSE) +=3D damon/ obj-$(CONFIG_SAMPLE_DAMON_PRCL) +=3D damon/ obj-$(CONFIG_SAMPLE_DAMON_MTIER) +=3D damon/ obj-$(CONFIG_SAMPLE_HUNG_TASK) +=3D hung_task/ +obj-$(CONFIG_SAMPLE_KFUZZTEST) +=3D kfuzztest/ obj-$(CONFIG_SAMPLE_TSM_MR) +=3D tsm-mr/ diff --git a/samples/kfuzztest/Makefile b/samples/kfuzztest/Makefile new file mode 100644 index 000000000000..4f8709876c9e --- /dev/null +++ b/samples/kfuzztest/Makefile @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: GPL-2.0-only + +obj-$(CONFIG_SAMPLE_KFUZZTEST) +=3D overflow_on_nested_buffer.o underflow_= on_buffer.o diff --git a/samples/kfuzztest/overflow_on_nested_buffer.c b/samples/kfuzzt= est/overflow_on_nested_buffer.c new file mode 100644 index 000000000000..2f1c3ff9f750 --- /dev/null +++ b/samples/kfuzztest/overflow_on_nested_buffer.c @@ -0,0 +1,71 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * This file contains a KFuzzTest example target that ensures that a buffer + * overflow on a nested region triggers a KASAN OOB access report. + * + * Copyright 2025 Google LLC + */ + +/** + * DOC: test_overflow_on_nested_buffer + * + * This test uses a struct with two distinct dynamically allocated buffers. + * It checks that KFuzzTest's memory layout correctly poisons the memory + * regions and that KASAN can detect an overflow when reading one byte pas= t the + * end of the first buffer (`a`). + * + * It can be invoked with kfuzztest-bridge using the following command: + * + * ./kfuzztest-bridge \ + * "nested_buffers { ptr[a] len[a, u64] ptr[b] len[b, u64] }; \ + * a { arr[u8, 64] }; b { arr[u8, 64] };" \ + * "test_overflow_on_nested_buffer" /dev/urandom + * + * The first argument describes the C struct `nested_buffers` and specifie= s that + * both `a` and `b` are pointers to arrays of 64 bytes. + */ +#include + +static void overflow_on_nested_buffer(const char *a, size_t a_len, const c= har *b, size_t b_len) +{ + size_t i; + pr_info("a =3D [%px, %px)", a, a + a_len); + pr_info("b =3D [%px, %px)", b, b + b_len); + + /* Ensure that all bytes in arg->b are accessible. */ + for (i =3D 0; i < b_len; i++) + READ_ONCE(b[i]); + /* + * Check that all bytes in arg->a are accessible, and provoke an OOB on + * the first byte to the right of the buffer which will trigger a KASAN + * report. + */ + for (i =3D 0; i <=3D a_len; i++) + READ_ONCE(a[i]); +} + +struct nested_buffers { + const char *a; + size_t a_len; + const char *b; + size_t b_len; +}; + +/** + * The KFuzzTest input format specifies that struct nested buffers should + * be expanded as: + * + * | a | b | pad[8] | *a | pad[8] | *b | + * + * where the padded regions are poisoned. We expect to trigger a KASAN rep= ort by + * overflowing one byte into the `a` buffer. + */ +FUZZ_TEST(test_overflow_on_nested_buffer, struct nested_buffers) +{ + KFUZZTEST_EXPECT_NOT_NULL(nested_buffers, a); + KFUZZTEST_EXPECT_NOT_NULL(nested_buffers, b); + KFUZZTEST_ANNOTATE_LEN(nested_buffers, a_len, a); + KFUZZTEST_ANNOTATE_LEN(nested_buffers, b_len, b); + + overflow_on_nested_buffer(arg->a, arg->a_len, arg->b, arg->b_len); +} diff --git a/samples/kfuzztest/underflow_on_buffer.c b/samples/kfuzztest/un= derflow_on_buffer.c new file mode 100644 index 000000000000..02704a1bfebb --- /dev/null +++ b/samples/kfuzztest/underflow_on_buffer.c @@ -0,0 +1,59 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * This file contains a KFuzzTest example target that ensures that a buffer + * underflow on a region triggers a KASAN OOB access report. + * + * Copyright 2025 Google LLC + */ + +/** + * DOC: test_underflow_on_buffer + * + * This test ensures that the region between the metadata struct and the + * dynamically allocated buffer is poisoned. It provokes a one-byte underf= low + * on the buffer, which should be caught by KASAN. + * + * It can be invoked with kfuzztest-bridge using the following command: + * + * ./kfuzztest-bridge \ + * "some_buffer { ptr[buf] len[buf, u64]}; buf { arr[u8, 128] };" \ + * "test_underflow_on_buffer" /dev/urandom + * + * The first argument describes the C struct `some_buffer` and specifies t= hat + * `buf` is a pointer to an array of 128 bytes. The second argument is the= test + * name, and the third is a seed file. + */ +#include + +static void underflow_on_buffer(char *buf, size_t buflen) +{ + size_t i; + + pr_info("buf =3D [%px, %px)", buf, buf + buflen); + + /* First ensure that all bytes in arg->b are accessible. */ + for (i =3D 0; i < buflen; i++) + READ_ONCE(buf[i]); + /* + * Provoke a buffer overflow on the first byte preceding b, triggering + * a KASAN report. + */ + READ_ONCE(*((char *)buf - 1)); +} + +struct some_buffer { + char *buf; + size_t buflen; +}; + +/** + * Tests that the region between struct some_buffer and the expanded *buf = field + * is correctly poisoned by accessing the first byte before *buf. + */ +FUZZ_TEST(test_underflow_on_buffer, struct some_buffer) +{ + KFUZZTEST_EXPECT_NOT_NULL(some_buffer, buf); + KFUZZTEST_ANNOTATE_LEN(some_buffer, buflen, buf); + + underflow_on_buffer(arg->buf, arg->buflen); +} --=20 2.51.0.384.g4c02a37b29-goog